Forget Stealing Credit Cards, Now Hackers Just Straight-Up Blackmail You

While hackers tried to get rich by stealing millions of credit cards from Target, other cybercriminals have quietly tried another method to make a quick buck: Asking companies to pay them to go away.

In recent weeks, two companies have publicly described their experiences with what has become a popular hacker tactic: cyber extortion. Cybercriminals have threatened to disclose sensitive data or cripple websites unless their victims pay hundreds or even thousands of dollars in ransom.

Like kidnappers and terrorists, cyberciminals have been demanding ransoms for years. But cases of digital extortion appear to have grown more frequent in recent months and involved more high-profile victims, according to Matthew Prince, chief executive of the security firm CloudFlare.

“The brazenness of the attacks has increased and they are targeting household names,” Prince said in an interview.

Last month, an unidentified hacker threatened to cripple the website of Meetup, a social networking site with 16 million members, unless the company paid $300 in ransom.

Then employees at Basecamp, a software development firm, also got an email from an unidentified hacker who made a similar threat unless the startup paid “a relatively low amount in Bitcoin,” according to David Heinemeier Hannson, a partner at the company.

Both companies refused to pay. In response, the hackers crashed Basecamp’s service for two hours and Meetup’s site for 24 hours.

There are no statistics on how often hackers try to extort their victims because few companies ever admit it. The rare victims who do go public say they refused to pay because it would have set a dangerous precedent.

Many victims do pay, albeit quietly. More than $5 million is extorted from hacking victims each year, according to Symantec, the cybersecurity firm.

In most cyber extortion cases, victims’ websites are knocked offline for about 15 minutes. Then their site comes back online and they get an email from a hacker offering to stop the attack if the victim wires money.

“Any victim that is perceived as being able to pay is a potential target of an extortion threat,” Aquilina James Aquilina, a former federal cybercrime prosecutor said.

But he said victims should contact law enforcement instead.

“I’ve never heard of a company actually surviving a cyber extortion by paying the money,” he said. “It just delays the inevitable. It doesn’t make it go away.”